In March 2025, a sweeping executive order from the White House gave the Department of Government Efficiency (DOGE) unprecedented authority to consolidate federal data systems. On its surface, the order aimed to eliminate “information silos” by enabling data-sharing across agencies. In practice, it concentrated millions of Americans’ most sensitive personal records into a single, centralized system with limited transparency and oversight. These records include Social Security numbers, tax filings, biometric identifiers, and detailed health information.
This marks a major shift in how the federal government collects, stores, and manages personal data. Privacy experts, civil liberties advocates, and several members of the judiciary have raised urgent concerns. Lawsuits have already been filed. In June, the Supreme Court allowed DOGE to access extensive records held by the Social Security Administration but delayed the implementation of key transparency requirements. At the same time, a federal judge issued a preliminary injunction to block DOGE from accessing data in several other agencies, citing insufficient justification and potential misuse. In Congress, lawmakers have introduced new legislation to modernize the Privacy Act of 1974, but progress has been slow.
Meanwhile, nearly half of U.S. states have passed their own consumer data privacy laws. These laws vary widely in their protections, definitions, and enforcement mechanisms. None of them match the scope or strength of the European Union’s General Data Protection Regulation (GDPR), which remains the global benchmark for data privacy. For most Americans, privacy protections still depend on where they live, what businesses they interact with, and which types of data are involved.
The federal government’s move toward data centralization, combined with the inconsistent protections offered by state laws, has highlighted gaps in the current privacy landscape. A national privacy law could offer a more consistent framework for how personal data is collected, used, and shared, while also supporting individual rights and clarifying federal oversight.
This article will explore three key areas:
- How recent developments involving DOGE have intensified the need for national legislation
- Why existing state laws cannot provide meaningful or consistent protections
- What barriers continue to block the passage of a comprehensive federal data privacy law
The Risks of Government Data Consolidation
DOGE’s authority reshapes how federal agencies handle personal data
The Department of Government Efficiency (DOGE) was originally created to streamline federal operations, but its 2025 mandate to break down “information silos” has significantly altered how federal agencies collect, manage, and exchange personal data. Under the executive order signed on March 20, DOGE was empowered to audit inter-agency data flows, override redundant storage systems, and deploy a central technical team, embedded across civilian agencies, charged with designing shared infrastructure. The order instructed agency heads to grant federal officials designated by the administration full access to all unclassified agency records, data, software systems, and IT systems, and directed agencies to rescind rules that restricted such data sharing.
DOGE is now quietly engineering what critics call a cross‑agency “master database” combining data from the SSA, IRS, HHS, OPM, and other departments, without clear limits or public disclosure of privacy protocols. As reported by Nextgov, oversight leaders and privacy advocates have raised alarms over the scope of this initiative, citing the potential for misuse and lack of transparency.
Although the order emphasizes modernization and efficiency, it lacks specific guidelines on consent, access controls, or privacy impact assessments. As a result, large volumes of personal data that were once stored under separate agency-specific rules and purposes are now being combined into shared repositories with unclear boundaries. The underlying assumption is that federal data can be treated as a pooled resource for improving service delivery, but critics warn that this approach treats individual privacy as a secondary concern.
Mixed judicial rulings highlight legal uncertainty
In June 2025, the U.S. Supreme Court issued a 5–4 ruling that upheld DOGE’s access to Social Security Administration records under current law. The Court declined to require enhanced transparency or oversight measures that privacy advocates had pushed for, effectively allowing the government’s data consolidation efforts to continue largely unimpeded.
However, shortly after, a federal judge in Washington, D.C., issued a preliminary injunction blocking DOGE from accessing certain sensitive data sets at the Departments of Education and Labor. The judge found that DOGE had not sufficiently justified its need for the information and failed to meet procedural requirements under the Privacy Act of 1974. This ruling signaled growing judicial concern about the rapid pace and breadth of data centralization.
Together, these mixed rulings underscore the legal uncertainty surrounding federal data consolidation. While DOGE has secured broad access to key databases, courts are increasingly scrutinizing the limits and safeguards of that access. This fractured judicial response highlights the need for clearer, updated federal privacy legislation to resolve ambiguities and protect individuals’ rights.
Legislative reform aims to modernize outdated privacy law
In response to public concern, Democratic lawmakers introduced the Privacy Act Modernization Act of 2025. This proposed legislation seeks to update the original 1974 law to reflect modern data practices and risks. The bill would narrow the broad exceptions that currently allow inter-agency data sharing, define personal data more comprehensively in the context of artificial intelligence and machine learning, and expand individual rights over their federal records. It would also establish penalties for unauthorized use or mishandling of personal data.
Although the proposal has received support from civil liberties organizations, it faces opposition from lawmakers aligned with the current administration. With DOGE’s consolidation agenda enjoying backing from the executive branch, meaningful legislative reform may be difficult to achieve in the near term.
Centralized data increases systemic risk and undermines oversight
Federal data consolidation may be framed as a modernization effort, but in practice it creates a single point of failure, both technically and democratically. The 2015 Office of Personnel Management breach, which exposed personal data from more than 22 million federal employees and contractors, showed how vulnerable government systems can be. DOGE’s current strategy brings together even more sensitive and wide-ranging information into shared environments, without a corresponding increase in oversight, public consent, or transparency. Experts caution that this approach not only raises the stakes of a breach but also blurs lines of accountability when data is misused.
In addition to security concerns, consolidation undermines key privacy principles such as purpose limitation and data minimization. These principles are meant to restrict the use of personal information to clearly defined objectives and to prevent unnecessary or prolonged retention. When agencies merge records into shared infrastructures, it becomes easier for that data to be used in ways that were never originally intended. Over time, individuals lose the ability to understand how their data is being used or challenge decisions made with it. This erosion of agency contributes to a growing distrust in government institutions.
Laws like the E-Government Act of 2002 and the Federal Information Security Management Act (FISMA) provide basic security and operational requirements, but they were not built to handle the privacy implications of large-scale data integration. These statutes focus primarily on safeguarding systems, not on limiting or overseeing how data is shared across agencies. Without a stronger and more current privacy framework, the federal government continues to operate in a legal environment where technological efficiency is prioritized over individual rights.
GDPR versus U.S. State Data Privacy Laws
U.S. privacy laws remain fragmented across states
As of mid-2025, 20 U.S. states have passed comprehensive consumer privacy laws, including California, Colorado, Virginia, Connecticut, Texas, Florida, Utah, Oregon, and others. These laws generally provide consumers with rights to access, delete, and restrict the use of their data, but they vary widely in definitions, thresholds, and enforcement. For example, California’s Consumer Privacy Rights Act (CPRA) imposes stricter obligations on businesses and includes a dedicated enforcement agency, while states like Iowa and Utah offer more limited protections. According to a 2024 review by White & Case, this inconsistent patchwork complicates compliance for businesses and results in uneven protections depending on where consumers reside.
Many of these laws also differ in how they define concepts like “sale” of data or “sensitive personal information.” As the UC Law Review notes, some laws only apply to companies that meet high thresholds for annual revenue or number of records processed. Others lack strong enforcement mechanisms or private rights of action, leaving large gaps in accountability.
GDPR establishes a unified, enforceable framework
In contrast, the General Data Protection Regulation (GDPR) provides a single, comprehensive framework that applies uniformly across the European Union. Organizations must identify a lawful basis for processing personal data and are required to obtain affirmative consent in many cases. GDPR also gives individuals rights to access, correct, erase, and port their data, and to object to automated decision-making.
The GDPR applies to any organization processing data on EU residents, regardless of where the organization is located. It includes strict data governance requirements, such as conducting data protection impact assessments and appointing data protection officers in certain situations. These requirements ensure transparency and consistency across sectors and borders. As Fieldfisher highlights, GDPR’s centralized framework contrasts sharply with the fragmented approach in the United States.
Enforcement and financial consequences differ dramatically
The enforcement landscape under GDPR is also significantly stronger. The regulation allows for fines of up to €20 million or 4 percent of a company’s global annual revenue, whichever is higher. In 2023, for instance, Meta was fined €1.2 billion by Ireland’s Data Protection Commission for violating cross-border data transfer rules.
Enforcement in the U.S. is more decentralized. The Federal Trade Commission (FTC) handles many privacy cases but is limited by its statutory authority. State attorneys general can enforce state privacy laws, but few have specialized agencies or significant resources. Most state laws also cap fines at far lower levels than GDPR, and only a few provide individuals with the right to sue for violations. This disparity in enforcement power reduces the deterrent effect of U.S. laws and limits recourse for affected individuals.
Why state-level laws fall short
U.S. state laws also fall short by excluding most data collected by government agencies. These laws typically regulate only the private sector, meaning that federal and state agencies are not subject to the same transparency or consent standards. This is a critical gap in the context of DOGE’s data consolidation efforts, which involve large-scale sharing of personal data across federal systems.
Further, most U.S. state laws rely on an opt-out model for data sharing and targeted advertising, rather than the opt-in model required under GDPR. This difference has sparked a growing divide between states that prioritize business interests and those seeking stronger consumer rights.
Without a national law, the United States continues to operate with a fragmented privacy landscape where rights vary by geography, legal interpretations are inconsistent, and enforcement is often limited. The contrast with the GDPR illustrates the need for a unified, enforceable federal standard that protects all individuals equally and ensures accountability across sectors.
Barriers to Enacting a Federal Privacy Law
Political division over private right of action and state preemption
Despite broad recognition that a federal privacy law is needed, major political disagreements continue to block progress. According to the International Association of Privacy Professionals, two issues are particularly difficult: whether to allow individuals to sue for privacy violations directly, and whether a federal law should override (“preempt”) stronger state-level protections. Privacy advocates argue that private rights of action are essential for meaningful enforcement, while industry groups oppose them due to concerns over litigation risk. Similarly, states with strong protections like California fear that federal preemption could reduce their privacy standards.
Industry resistance and complexity of compromise
Tech and advertising industry groups have pushed back against federal proposals that could impose burdensome obligations on businesses. They support the idea of a national framework but insist on clear thresholds and exemptions to shield small businesses from undue liability. The American Privacy Rights Act (APRA), a bipartisan proposal introduced in 2024, ultimately lost support after revisions removed civil rights protections and drew opposition from both privacy advocates and industry stakeholders.
Legislative inertia and shifting priorities
Over the past two decades, several bipartisan federal privacy bills, including the American Data Privacy and Protection Act (ADPPA) and the American Privacy Rights Act (APRA), gained momentum in Congress but never progressed to final votes. Legislators frequently cite unresolved tensions over enforcement mechanisms, alignment with state laws, and competing legislative priorities such as healthcare reform, AI regulation, and national security. These issues continue to impede consensus on a federal privacy framework.
Divided public and political will
Even as legislative reform stalls, public interest in federal privacy protections remains divided. While industry groups signal support for clear national standards, they continue to resist private enforcement mechanisms like individual lawsuits, fearing potential litigation exposure. On the other hand, privacy advocates emphasize that meaningful enforcement requires litigation rights beyond government action.
Conclusion: Protecting Data Requires a National Solution
Federal data consolidation, combined with a patchwork of state privacy laws, has created an environment where individuals have limited visibility and control over how their personal information is used. Agencies are now sharing and combining data across systems in ways that outpace current laws and oversight mechanisms. Without clear, national standards for data privacy, the rules vary by state and depend heavily on the discretion of federal administrators.
A federal privacy law would establish consistent protections, clarify responsibilities, and help ensure that public institutions are accountable for how they handle sensitive information. It would also give individuals the ability to understand and influence decisions about their own data. As digital infrastructure becomes more integrated across agencies and sectors, the need for this kind of legislation becomes more urgent. A strong federal privacy law is essential to protect rights, promote transparency, and maintain public trust in the institutions that serve us.